Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A method, comprising: presenting an application; receiving an indication of a computing device to select the application to generate a selected application; transmitting a request to update a profile of a host to reflect configuration information related to the selected application; configuring the profile for use with a reverse firewall device; determining a rate of communications from the host attributable to the selected application that are unauthorized based on the profile, the rate of communications being computed as a ratio of a number of message units per unit of time; using the reverse firewall device to determine whether to block a particular communication from the host based on the rate of communications from the host that are unauthorized based on the profile; and configuring the reverse firewall device to use a throttling discipline and out-of-profile counter to determine whether to block the particular communication from the host.
The system provides a method for application provisioning with enhanced security. It presents available applications, receives a selection from a computing device, and generates a profile update request for the host device. This profile, configured for use by a reverse firewall, governs network communication permissions. The system calculates the rate of unauthorized communications from the host, based on message units per unit of time, determined by comparing actual traffic against the defined profile. A reverse firewall blocks communication based on this rate of unauthorized activity and employs throttling and an out-of-profile counter to further refine blocking decisions.
2. The method of claim 1 , further comprising: transmitting a request to update the profile while the profile is empty of configuration information before transmitting a request to update the profile of the host.
In addition to the application provisioning method described in claim 1, the system first transmits a request to update the profile while the profile is initially empty of configuration information. This ensures a clean state before provisioning begins, establishing a baseline for the host's network communication permissions before any application-specific rules are applied. This initial empty profile update preceeds the application specific update request sent to the host, improving security.
3. The method of claim 1 , wherein the configuration information comprises information indicating an internal host that the selected application is configured to access.
Expanding on the application provisioning method described in claim 1, the configuration information included in the host profile specifies the internal host or server that the selected application is permitted to access. This allows the reverse firewall to restrict the application's network activity, ensuring it only communicates with authorized internal resources and preventing lateral movement within the network.
4. The method of claim 1 , further comprising: updating data that corresponds to the selected application to reflect the configuration information, wherein the configuration information is predetermined configuration information; and transmitting the data that corresponds to the selected application.
Complementing the application provisioning method outlined in claim 1, the system updates the application data itself to reflect predetermined configuration information before it is transmitted to the host. By embedding configuration settings directly into the application package, the system ensures the application is pre-configured and ready to operate within the defined security parameters enforced by the reverse firewall.
5. The method of claim 1 , further comprising: receiving the configuration information; updating data that corresponds to the selected application to reflect the configuration information; and transmitting the data that corresponds to the selected application.
Augmenting the application provisioning method presented in claim 1, the system receives configuration information externally, updates the data corresponding to the selected application to reflect the configuration information, and transmits this updated application data to the host. This dynamic configuration allows for customized application settings to be delivered to the host, further enhancing security.
6. An apparatus, comprising: a processor that executes instructions; a memory coupled to the processor and configured to store data corresponding to a selected application that comprises the instructions, the instructions when executed by the processor causing the processor to perform operations comprising: presenting an application choice for download to a host; receiving an indication to select the application for download to the host to generate a selected application; transmitting data that corresponds to the selected application, and transmitting a request to update a profile of the host to reflect configuration information of the selected application, the updated profile indicating whether to block a particular communication from the host; and a reverse firewall device to determine a rate of communications from the host attributable to the selected application that are unauthorized based on the profile, the rate of communications being computed as a ratio of a number of message units per unit of time, to determine whether to block the particular communication from the host based on the rate of communications from the host that are unauthorized based on the profile, and to apply a throttling discipline to communication from the host based on the profile.
The system features an application provisioning apparatus. It comprises a processor and memory, configured to store application data and execute instructions. The processor presents application choices for download, receives a selection, transmits the selected application data, and sends a profile update request to the host, embedding configuration information, indicating whether to block communications. A reverse firewall determines the rate of unauthorized communication from the host by application, calculates the message unit ratio per time, determines whether to block activity based on the rate of unauthorized activity, and applies a throttling discipline based on the host's profile.
7. The apparatus of claim 6 , further comprising: an out-of-profile counter to generate a count of out-of-profile communications from the host, the reverse firewall device being further to determine whether to block the particular communication from the host based on the count of out-of-profile communications from the host.
Expanding on the apparatus described in claim 6, an out-of-profile counter generates a tally of communications violating the defined profile. The reverse firewall then uses this count to determine whether to block a particular communication, supplementing the rate-based blocking mechanism with a threshold-based approach.
8. The apparatus of claim 6 , the configuration information being predetermined configuration information.
Referencing the apparatus defined in claim 6, the configuration information used for the host profile is predetermined. This means the application is designed to use a static config.
9. The apparatus of claim 6 , wherein the operations further comprise: receiving the configuration information; and updating the data that corresponds to the selected application to reflect the received configuration information.
Expanding on the apparatus described in claim 6, the operations further include receiving configuration information and updating the application data to reflect these configurations. This enables dynamic customization.
10. A non-transitory computer-readable medium comprising instructions which, when executed by a computing device, cause the computing device to perform operations comprising: presenting an application; receiving an indication to select the application to generate a selected application for downloading to a host; transmitting data that corresponds to the selected application to the host; configure the profile for use with a reverse firewall device; determining a rate of communications from the host attributable to the selected application that are unauthorized based on the profile, the rate of communications being computed as a ratio of a number of message units per unit of time; using the reverse firewall device to determine whether to block a particular communication from the host based on the rate of communications from the host that are unauthorized based on the profile; and configuring the reverse firewall device to use a throttling discipline and out-of-profile counter to determine whether to block the particular communication from the host.
The system comprises a non-transitory computer-readable medium containing instructions that, when executed, cause a computing device to perform application provisioning operations. These operations include presenting an application, receiving a selection, and generating an update request for the host's profile. The system then configures the profile for the reverse firewall and determines the rate of unauthorized communication based on the profile as message units per time. The reverse firewall blocks communications based on the rate of unauthorized communications, and the system configures it to use throttling and an out-of-profile counter.
11. The non-transitory computer-readable medium of claim 10 , wherein the configuration information is predetermined configuration information.
Referencing the computer-readable medium described in claim 10, the configuration information is predetermined, representing static configuration.
12. The non-transitory computer-readable medium of claim 10 , wherein the operations further comprise: receiving the configuration information and update data that corresponds to the selected application to reflect the received configuration information.
Expanding on the computer-readable medium described in claim 10, the operations include receiving configuration information and updating the application data to reflect this information, enabling custom configuration.
13. The non-transitory computer-readable medium of claim 10 , wherein the profile comprises a 4-tuple rule defined by protocol, client, server port, and server profile.
Expanding on the computer-readable medium of claim 10, the profile used by the reverse firewall is defined by a 4-tuple rule consisting of protocol, client IP, server port, and server profile.
14. The non-transitory computer-readable medium of claim 10 , wherein the profile comprises a 3-tuple rule defined by protocol, client, and server profile.
Expanding on the computer-readable medium of claim 10, the profile used by the reverse firewall is defined by a 3-tuple rule consisting of protocol, client IP, and server profile.
15. The non-transitory computer-readable medium of claim 10 , wherein the profile comprises a 2-tuple rule defined by protocol and server profile.
Expanding on the computer-readable medium of claim 10, the profile used by the reverse firewall is defined by a 2-tuple rule consisting of protocol and server profile.
16. The non-transitory computer-readable medium of claim 10 , wherein the profile comprises a 3-tuple rule defined by protocol, server port, and server profile.
Expanding on the computer-readable medium of claim 10, the profile used by the reverse firewall is defined by a 3-tuple rule consisting of protocol, server port, and server profile.
Unknown
August 19, 2014
Browse 5M+ US patents with plain-English claim translations and AI-generated analysis.